Security Weekly News 12 November 2010 – Full List

Category Index

Hacking Incidents / Cybercrime

Zombie text sending malware is racking up $300,000 in charges per day.
More than 1 million cell phone users in China have been infected with a virus that automatically sends text messages, and the attack is costing users a combined 2 million yuan ($300,000 U.S.) per day.
According to Shanghai Daily, “the ‘zombie’ virus, hidden in a bogus antivirus application, can send the phone user’s SIM card information to hackers, who then remotely control the phone to send URL links.”
Amnesty International Hong Kong Website Injected With Latest Internet Explorer 0-day  [community.websense.com]
Websense Security Labs™ ThreatSeeker™ Network has detected that the Hong Kong Website of human rights organization Amnesty International has been compromised by multiple exploits, including the most recent Microsoft Internet Explorer 0-day. In one attack, an iframe has been injected into the index page, resulting in a quiet redirection of any visitor to an exploit server controlled by the cyber criminals. Websense customers are protected from this exploit by our ACE real-time analytics.
The exploit server is hosted in the United States. It combines several recent vulnerabilities in Adobe Flash, Adobe Shockwave, Apple QuickTime, and Internet Explorer.
And that’s not all
In a separate attack from the injected iframe just described, the Hong Kong Amnesty International Website has also been injected directly in one of its inner directories with code that exploits the latest 0-day vulnerability in Internet Explorer (CVE-2010-3962). This vulnerability was found only a few days ago and has not yet been patched.
The following web hacking incidents were added to WHID in the past week:
1. WHID 2010-216: DDoS: Myanmar attacks larger than those against Estonia and Georgia – http://bit.ly/cZBLWG
2. WHID 2010-215: Hacker Claims Full Compromise of Royal Navy Website – http://bit.ly/dg9v6q
3. WHID 2010-214: Attack cause Intuit Web-hosting service outage? – http://bit.ly/dn8yed
4. WHID 2010-213: Cops: Hacker Posted Stolen X-rated Pics on Facebook – http://bit.ly/a2Na5I
5. WHID 2010-212: Cheapflights claims Twitter account hacked after X-Factor tirade – http://bit.ly/bEYb2y
Twenty-two porn sites — some riddled with spam and relating to drunken prostitutes — were accessed from a computer rented to a businessman by a travel agent, a court heard yesterday.
A computer virus crippled the travel firm’s entire IT system for several days in 2008, leaving the company unable to send emails to its customers.
The company, Neenan Travel Ltd of South Leinster Street, Dublin, sued travel agent Omar Bounazou of Grangebrook Vale, Rathfarnham, Dublin, for more than €7,000, which was the cost of restoring its system.
In turn, Mr Bounazou claimed he was owed air-travel rebates worth more than €17,000, which he said were not passed on to him by the travel firm.
WASHINGTON — Details about the Stuxnet worm, a highly-engineered piece of malicious software that targeted industrial control systems, have trickled out since it made international news earlier this fall. The sophistication of the malware combined with its ability to target the controllers that run power plants and other infrastructure facilities impressed many security experts.
At a small conference on cybersecurity sponsored by TechAmerica, Symantec’s Brian Tillett put a number on the size of the team that built the virus. He said that traces of more than 30 programmers have been found in source code.
Facebook continues being a popular target for malware authors as we discover yet another family that uses this popular social network to propagate. The main component, which we detect as Trojan:Java/Boonana, is written in Java which gives it cross platform capability infecting Windows, Mac and Linux users.
The documents in the dossier include a list of names, mobile phone numbers and email addresses of senior law enforcement officers.
The Executive assures that the safety of the visit is ‘guaranteed’ now that the details have been changed following the leak.
A member of the public found on the street a folder of eleven sheets containing allegedly confidential information on the police deployment planned for the Pope’s visit to Barcelona and the Sagrada Família (Holy Family), as reported by the radio station Rac 1. The folder was found on Tuesday night, during a dog walk along Via Augusta in Barcelona, between Travessera de Gràcia and Lluís Antúnez street in the heart of the city.
Sources in the Autonomous Police have said they will ‘discuss and consider’ the situation, and officers have travelled to the station to collect the documentation. The documents in the dossier include a list of names, mobile phone numbers and email addresses of senior officers of the security forces, bearing the seal of the Ministry of the Interior, who met on 7 October to discuss the organization of the Operations Coordination Centre.
The Royal Navy’s official website had to be shut down yesterday after it was infiltrated by a notorious hacker.
The internet rogue is said to have exposed worryingly lax security on the site.
Known only as TinKode, the Romania-based hacker claimed to have obtained an administrator username and password for the Ministry of Defence-run webpage. This potentially allowed access to highly sensitive information in a database. The scare is a major embarrassment for the Government.
Authorities in the United States and Moldova apprehended at least eight individuals alleged to have helped launder cash for an international cyber crime gang that stole more than $70 million from small to mid-sized organizations in recent months.
In Wisconsin, police arrested two young men who were wanted as part of a crackdown in late September on money mules who were in the United States on J1 student visas. The men, both 21 years old, are thought to have helped transfer money overseas that was stolen from U.S. organizations with the help of malicious software planted by attackers in Eastern Europe.
A hacker at Washington State University gave students and information-technology staff members another reason to remember the Fifth of November this year.
Students and instructors arriving for class on Friday morning were greeted by a video message automatically beamed onto projector screens in more than two dozen classrooms. The message was delivered by a hacker dressed up as V, the Guy Fawkes-inspired anti-hero of the 2006 movie V for Vendetta. After hacking into the university’s academic media system, which manages classroom-presentation and distance-learning technology, the as-yet-unidentified culprit or culprits programmed motorized screens to unfurl themselves and scheduled projectors to broadcast the five-minute-long video once every hour. The video, ostensibly a diatribe against campus squirrels and a call to end student apathy, interrupted lectures and cut off access for distance-learning students until the IT staff was able to shut down the program in the early afternoon.

Online Services Vulnerabilities

The Google Store website sells products such as souvenirs online. Its privacy statement reads:
“How do we keep your information secure?
The personal information that you provide to Google Store, including your credit card or other payment information, is maintained on secure servers and protected by industry-standard Secure Socket Layer encryption. When entering personal information, look for an icon at the bottom of your browser window that indicates you are on a secure page.”

Unpatched Vulnerabilities

Adobe: hole closed, hole open [www.h-online.com]
Keeping track of which versions of which Adobe products have how many holes is beginning to be difficult. Adobe has confirmed a further unpatched hole in Adobe Reader that can very likely be exploited to infect a PC. Apparently, a flawed JavaScript function (Doc.printSeps) is responsible for the critical hole. An exploit is already in circulation, but it only causes the application to crash.
A security expert working at Alert Logic has published a demonstration back door exploit for smartphones running Android. Criminals could use the principles of this exploit to gain control of a phone and install trojans. A potential victim need only call a malicious web site for infection to occur.
In this article, I will discuss the security concerns I have regarding how URL Schemes are registered and invoked in iOS.
Now, let us assume the user has Skype.app installed. Let us also assume that the user has launched Skype in the past and that the application has cached the user’s credentials (this is most often the case: users on mobile devices don’t want to repeatedly enter their credentials, so this is not an unfair assumption). Now, what do you think happens when a malicious site renders the following HTML?
In this case, Safari throws no warning and yanks the user into Skype, which immediately initiates the call. The security implications of this are obvious, including the additional abuse case where a malicious site can make Skype.app call a Skype-id whose owner can then uncloak the victim’s identity (by reading the victim’s Skype-id from the incoming call).
Researchers have disclosed bugs in Google’s Android mobile operating system that allow attackers to surreptitiously install malware on users’ handsets.
The more serious of the two flaws was poignantly demonstrated on Wednesday in a proof-of-concept app that was available in the Google-sanctioned Market. Disguised as an expansion for the popular game Angry Birds, it silently installs three additional apps that, without warning, have access to a phone’s contacts, location information and SMS functionality and can transmit their data to a remote server.

Software Updates

Overview of the November 2010 Microsoft Patches and their status.
Google has released version 7.0.517.44 of Chrome for Windows, Mac OS X and Linux, a security update that addresses a total of 12 vulnerabilities, all of which the developers rate as ‘high’ priority. As part of its Chromium Security Reward programme, Google rewarded those who reported the security vulnerabilities with between $500 and $1,000. The developers also note that, in addition to the security fixes, the latest build includes an updated version of Flash Player. All users are encouraged to update to the latest release as soon as possible.
Fixes 134 flaws with Mac OS X update, 55 in Flash alone
Apple on Wednesday patched more than 130 vulnerabilities in Mac OS X, smashing a record the company set last March when it fixed over 90 flaws.
The update for OS X 10.6, a.k.a. Snow Leopard, and OS X 10.5, better known as Leopard, was Apple’s first since September and the seventh for the year.
Calling the update ‘huge,’ Mac vulnerability expert Charlie Miller pointed out that even with a staggering 134 patches, there were plenty of flaws still around.

Business Case for Security

Risk Informed Decision Making [blog.security-art.com]
In most organizations nowadays, information assets are fundamental; hence, a lot of resources are invested in protecting them. However, the decisions management makes about the scope of the invested resources are based on partial information expressed in a “foreign” language, the language of technology. This potentially results in excessive investment in protecting less business-critical assets and a lack of investment in business-critical ones. A solution to this challenge lies in the ability to “translate” between business priorities and technology challenges.
Information risk analysis is a relatively new discipline, and too often information security risk decisions fall victim to one or both of the following fundamental problems: (1) the wrong people are making the decisions, because there is no clear decision about who in the organization needs to manage the risk, what their responsibilities are and what is expected of them, which can lead to unmet expectations and objectives, lack of executive management support, and priorities that don’t make business sense; and/or (2) decisions are made on partial information and a partial understanding of the risk, without seeing the organization as a whole, which generally results in spending on the wrong things, spending too much, or not spending enough.
Ziring said that even within the NSA, the problems of application security remain maddeningly difficult to solve. The agency, which is responsible for both protecting the communications of the U.S. government and eavesdropping on those of hostile nations, faces many of the same challenges that private enterprises and other organizations do when it comes to writing secure applications and defending deployed apps.
‘Assurance is very hard to do for apps, especially lightweight, distributed apps. They don’t have a clean, waterfall lifecycle,’ Ziring said. ‘Very few applications start from a clean slate. They’re built on the existing code bases and they have to work with other existing apps and they have to be updated frequently.’
10 Client Site InfoSec Rules [securethinkinguk.blogspot.com]
If you’re working on a client site, in addition to obeying their rules and policies on information security here are Secure Thinking’s 10 Client Site InfoSec rules you should employ to keep yourself and your information safe and protect the client.
1. Never leave equipment unattended
Laptops, phones, disks, memory sticks etc., should be taken with you, locked away securely or, in the case of laptops, locked to something solid with a Kensington style lock if they have to be left unattended.
2. Use encryption
Encrypt laptops, external disk drives, USB sticks to protect the data on them whilst on the move. This will help to protect your data should you lose an item of equipment or it is deliberately targeted.
Show what wasn’t tested [blog.clearnetsec.com]
The chaos and confusion besetting all involved in security work due to how each participant defines popular security services doesn’t appear to be heading toward sanity any time soon (i.e. what is a pen. test to you?).
I also like the threat-centric approach, so I often add in the following questions:
What are the most important assets and why?
What threats worry the team the most?
..
And given the propensity of most businesses to think of security only in terms of their servers (à la Chris’ tweet), I make sure to point out what wasn’t tested:
Your business and common threat tactics:
Servers on the public Internet: tested
Application Security: minimal tests performed
Social Engineering: no tests performed
Phishing: no tests performed
Client-side: no tests performed
Wireless: no tests performed
Physical Security: no tests performed
This free 45-minute training is designed for organizations that plan to implement ISO 27001 and have already implemented ISO 9001. This session will explain how to use ISO 9001 to facilitate the implementation of ISO 27001 through the existing documentation and processes.
Date: December 1, 2010
Time: 10:00 AM New York time / 3:00 PM (15:00) London time / 4:00 PM (16:00) Brussels time / 8:30 PM (20:30) Mumbai time
Botnets have penetrated most Fortune 500 companies, and the United States leads the world in PCs infected with bots.
And Mac users beware: a new Trojan variant attacks Mac OS systems via social networking sites. If you see a message on a social network like Facebook that says ‘Is this you in the video?’, clicking the item could deliver your computer to a botnet, a network of hijacked machines deployed to steal content and launch distributed denial of service (DDoS) attacks on other sites.
So how do we stop these nefarious campaigns? Shortly after we ran a piece on Japan’s national anti-botnet strategy, we had the chance to hear a set of security presentations on botnets. The most comprehensive of these came from Fabian Rothschild and Peter Greko of the HackMiami nonprofit and Tom Murphy from the Bit9 security group. The two outfits laid out different strategies for fighting botnets: data obfuscation (making it harder for botnets to read computer content) and ‘white lists’ (carefully restricting what kinds of apps can be used on an enterprise or institutional network).
“Use of a PA-DSS compliant application by itself does not make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and according to the PA-DSS Implementation Guide” – this is useful for ..ahem… reminding merchants about it.
“verify that no cardholder data exists outside of the currently defined cardholder data environment” – scoping stuff became much better and this also smells like DLP to me. In any case, I hear DLP vendors are partying over this already.
“Where virtualization technologies are in use, implement only one primary function per virtual system component” – this is what got added to 2.2.1 and it is great! Virtualization now officially in.
“Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities” – my guess is a lot of people read too much into this change of 6.2. It pretty much means the same: “bad vuln? fix it!” I don’t believe it will lead to reduced patching and increased risk acceptance. But I am sure some vendors that mix up firewall rules with vulnerability data will be ecstatic over this one…
Lessons learned from frequent attacks make banks good role models in defending against bad guys
Banks are under attack — not so much from gun-toting bank robbers, but from sophisticated cybercriminals.
Using programs such as Zeus to compromise customers’ PCs and siphon money from their bank accounts, cybercriminals stole or attempted to steal nearly $100 million in the first three quarters of 2009, according to the Internet Crime Complaint Center. Traditional bank robbers on average stole $4,029, and all the U.S. bank robberies in 2009 totalled about $35 million, according to the FBI’s Uniform Crime Reporting (UCR) project.
The Department of Defense announced today that U.S. Cyber Command has achieved full operational capability (FOC).
Achieving FOC involved U.S. Cyber Command completing a number of critical tasks to ensure it was capable of accomplishing its mission. U.S. Cyber Command is responsible for directing activities to operate and defend DoD networks.
“I am confident in the great service members and civilians we have here at U.S. Cyber Command. Cyberspace is essential to our way of life and U.S. Cyber Command synchronizes our efforts in the defense of DoD networks. We also work closely with our interagency partners to assist them in accomplishing their critical missions,” said Gen. Keith Alexander, commander of U.S. Cyber Command.
The first ever pan-European cyber security exercise, “Cyber Europe 2010”, ended successfully yesterday. More than 150 experts from 70 public bodies around Europe participated in the exercise. They were exposed to more than 320 incidents, or ‘injects’. The exercise was a first, key step towards strengthening Europe’s cyber defense. The key challenge now is for the Member States to implement the ‘lessons learnt’ identified during the exercise. The Agency also advocates that all Member States in Europe should consider conducting national exercises to improve their Critical Information Infrastructure Protection (CIIP).
Two-factor authentication takes its toll on phishing, so attackers find ways around it, including SpyEye
Real-time phishing attacks that cheat two-factor authentication are on the rise around the globe as phishers adapt to the latest barriers put in their way, according to a team of researchers.
Researchers at Trusteer today said 30 percent of all attacks during the past two-and-a-half months against websites using two-factor authentication have been real-time, man-in-the-middle (MITM) methods that allow the attackers to bypass this stronger authentication. The data comes from a sampling of thousands of phishing attacks monitored by the researchers.

Web Technologies

This article is a basic introduction to AppSensor, an OWASP project that’s been gaining a lot of traction recently. It’s a fairly simple concept, and one that I think (and hope) will be implemented in lots of applications in the near future. If you’d rather watch a video about AppSensor, here is a good one from Michael Coates, the project lead. Alternatively, here is a very quick video of a demo of AppSensor. So, let’s get started …
What is AppSensor and why should I care?
AppSensor is an implementation of an idea called application layer intrusion detection. The concept is very simple. While we have controls like intrusion detection at the network layer and web application firewalls at the web layer to detect attacks, these tools work outside the application where they are missing some context. We don’t currently have a good paradigm to represent attack detection and possible response inside an application, unless you completely roll your own. There is actually an implementation of this concept in ESAPI, (see the IntrusionDetector interface) and AppSensor’s implementation can be used as a drop-in replacement for the default handler provided by ESAPI, but more on that later. For now, let’s talk about why you need AppSensor.
Can you find the vulnerabilities? 2010 answers [www.securityninja.co.uk]
Hi everyone,
I have to start this blog post with an apology; I should have posted these answers about a month ago! Thank you to James Robertson for reminding me about this!
Killmonster – SQL Injection
The Killmonster application has a SQL Injection vulnerability which allows users to bypass the user authentication check.
The users of this application must provide a username and password to authenticate and do this by entering their credentials into a form called login.php:
Spotting Websites Vulnerable to Firesheep [michael-coates.blogspot.com]
Part 2 of the firesheep series (Part 1 – understanding firesheep attack)
Here is an easy way to determine if a website is vulnerable to the Firesheep attack. (For the record, technically Firesheep is just a tool to easily exploit a website that does not send session cookies over TLS/SSL. You could perform this same attack with any number of tools.)
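The check the post describes comes down to inspecting the Set-Cookie headers a site returns: the following is an added example (not code from the original post) that parses them and flags session cookies sent without the Secure attribute, which is exactly what a sidejacking tool such as Firesheep replays. The header lines and the cookie-name heuristic are constructed assumptions.

```python
"""Audit Set-Cookie headers for session cookies a Firesheep-class sniffer could replay.

Added example, not code from the original post. SAMPLE_HEADERS are constructed;
SESSION_NAME_RE is an assumed heuristic for recognising session cookies by name
and should be tuned to the application being checked.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Heuristic (assumption): cookie names that usually carry a session or auth identifier.
SESSION_NAME_RE = re.compile(r"sess|sid|auth|token|login", re.IGNORECASE)


@dataclass
class CookieInfo:
    name: str
    secure: bool      # browser will only send the cookie over TLS
    httponly: bool    # cookie is not readable from page script
    attrs: Dict[str, str] = field(default_factory=dict)

    @property
    def looks_like_session(self) -> bool:
        return SESSION_NAME_RE.search(self.name) is not None


def parse_set_cookie(header_value: str) -> CookieInfo:
    """Parse one Set-Cookie value of the form 'name=value; Attr; Attr=val; ...'."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flag attributes map to ""
    return CookieInfo(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        attrs=attrs,
    )


def audit_set_cookie_headers(headers: List[str]) -> List[dict]:
    """One finding per weakness on a session-looking cookie.

    'missing Secure' is the sidejacking exposure the post is about: the browser
    will send the session id over plain HTTP, where it can be sniffed and replayed.
    'missing HttpOnly' is reported as a secondary weakness (script-readable id).
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not cookie.looks_like_session:
            continue
        if not cookie.secure:
            findings.append({"cookie": cookie.name, "issue": "missing Secure",
                             "risk": "session id sent over plain HTTP; sniffable and replayable"})
        if not cookie.httponly:
            findings.append({"cookie": cookie.name, "issue": "missing HttpOnly",
                             "risk": "session id readable from script (e.g. via XSS)"})
    return findings


def is_vulnerable_to_sidejacking(headers: List[str]) -> bool:
    """True if any session-looking cookie would be sent without TLS protection."""
    return any(f["issue"] == "missing Secure" for f in audit_set_cookie_headers(headers))


# Constructed sample Set-Cookie values (not captured from any real site).
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",            # session cookie without Secure: exposed
    "auth_token=deadbeef; Path=/; Secure; HttpOnly",  # properly protected
    "theme=dark; Path=/; Max-Age=31536000",           # not a session cookie, ignored
    "sid=xyz; Domain=.example.com; Path=/; Secure",   # TLS only, but script-readable
]

if __name__ == "__main__":
    for finding in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(f"{finding['cookie']}: {finding['issue']} ({finding['risk']})")
    print("vulnerable to sidejacking:", is_vulnerable_to_sidejacking(SAMPLE_HEADERS))
```

Feed it the Set-Cookie values from your own site's login response to confirm that every session cookie carries Secure (and HttpOnly) before relying on TLS to protect it.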
XSS is the #1 threat in web application security. We all know it’s pretty common; from time to time we encounter a website where a single input field is vulnerable. Happily we send out alert(document.cookie), only to find out that the session cookie is httpOnly (a good sign!). On the other hand, we know that XSS gives us white hats almost unlimited potential to alter the vulnerable page. We can:
deface it,
steal user’s form values
redirect to form a phishing attack
look at cookies
try to send malware through a drive-by download attack
and many more…
The next major revamp to hit the Web, HTML5, promises to make the Web more powerful and flexible for the sites that adopt it. So flexible, in fact, that hackers like Lavakumar Kuppan are already hard at work demonstrating how the bad guys can twist it into new malicious uses.
In a talk he plans to give at the Black Hat security conference in Abu Dhabi next week, Kuppan will show how HTML5 allows hackers to invisibly take over users’ browsers to send spam, launch a distributed cyberattack, or even contribute their computer’s processing power to the large-scale computing task of cracking a victim’s password.
Facebook gave a MySQL Tech Talk where they talked about many things MySQL, but one of the more subtle and interesting points was their focus on controlling the variance of request response times and not just worrying about maximizing queries per second.
But first the scalability porn. Facebook’s OLTP performance numbers were as usual, quite dramatic:
Query response times: 4ms reads, 5ms writes.
Rows read per second: 450M peak
Network bytes per second: 38GB peak
Queries per second: 13M peak
Rows changed per second: 3.5M peak
InnoDB disk ops per second: 5.2M peak
In our interview with Ryan Singer of 37signals, he mentioned something that is insanely exciting, and I’d like to draw more attention to it. It was hidden deep in the interview, so not many people discovered it. Here’s the deal …
There is nothing like Rails for mobile web app development, so 37signals are creating a web app MVC framework specifically designed for mobile phone web apps. The code will be comprised of local JavaScript, with the network just being used for data. The apps will work offline, when live data transfer isn’t required.
Kodu [research.microsoft.com]
Kodu is a new visual programming language made specifically for creating games. It is designed to be accessible for children and enjoyable for anyone. The programming environment runs on the Xbox [ and PC ], allowing rapid design iteration using only a game controller for input.

Network Security

Last week my company decided to upgrade our data network bandwidth from 1 GB to 10 GB. The last time we updated the design, we found that the bandwidth of the 45 VLANs of more secure servers, taking into account that each uplink has the 1 GB limit, came to 2.8 Gbps total consumption, so we chose a FWSM blade inside a Catalyst 6513. Please look at the following diagram:
Freebie apps can save you money, but deployment may not be so free
Over the past few years, companies have increasingly adopted considerably stronger password policies. Unfortunately, there’s still ample confusion in how to strengthen password policies and to mitigate password-focused attacks. I found dozens of mistakes in various security portals’ password-hacking whitepapers, seen respected security vendors recommending incorrect mitigations to conflated attacks, and took note of highly knowledgeable security teams operating on mistaken assumptions.
I understand the confusion: There are many different types of password attacks (and defenses) and so much incorrect information on the Internet. The following are a few myths about password security that often surprise even the most seasoned security admins.
Changing Passwords [www.schneier.com]
How often should you change your password? I get asked that question a lot, usually by people annoyed at their employer’s or bank’s password expiration policy: people who finally memorized their current password and are realizing they’ll have to write down their new password. How could that possibly be more secure, they want to know.
The answer depends on what the password is used for.
The downside of changing passwords is that it makes them harder to remember. And if you force people to change their passwords regularly, they’re more likely to choose easy-to-remember — and easy-to-guess — passwords than they are if they can use the same passwords for many years. So any password-changing policy needs to be chosen with that consideration in mind.
DNS Malware Detection Pivotal for Organizations [cybersecurityreport.nextgov.com]
Using DNS for malware detection in larger enterprises was the topic of discussion in this month’s SANS Internet Storm Center monthly threat update. Using DNS this way is becoming more and more commonplace, and for good reason. One of the advantages of this particular safety measure is that it is easy to centralize, and if an enterprise has thousands or tens of thousands of desktops that can be a huge advantage over the mess of updating antivirus across such a large number of systems.
For its part, SANS ISC has put together a bootable Linux CD distribution that has everything you might need to run your own filtering DNS server. The ISC also put together some passive DNS analysis where all you do is sniff the traffic coming to the DNS server and then come back with a query history that you can compare to various blacklists. Both technologies have gotten a lot of positive response, and are easy enough to do on your own.
Scripting with Unix Date [isc.sans.edu]
I have been ‘playing’ with the date command for a while in various Unix shell scripts and found the following date options quite useful.
Setting Unix system date and time
* November 13, 06:30 a.m., 2010 do the following: date 111306302010
Unix epoch time to regular time
* date -d @1289524456 will provide a result of ‘Thu Nov 11 20:14:16 EST 2010’
Posted by ckirsch in General
Let’s assume your goal for an external penetration test is to pwn the domain controller. Of course, the domain controller’s IP address is not directly accessible from the Web, so how do you go about it? Seasoned pentesters already know the answer: they compromise a publicly accessible host and pivot to other machines and network segments until they reach the domain controller. It’s the same concept as a frog trying to cross a pond by jumping from lily pad to lily pad.
If you have already used pivoting, chances are high that you’ve used proxy pivoting. In other words, the payload you have deployed to a compromised machine to enable pivoting is a proxy that understands and forwards specific protocols. It works, but it can be very limiting.
Metasploit Pro introduces a new type of pivoting, which we’ve called VPN pivoting because it essentially creates a VPN gateway on your target machine to which you have an encrypted layer 2 connection. VPN pivoting creates a virtual Ethernet adapter on the Metasploit Pro machine that enables you to route any traffic through the target. Let me repeat that: “Metasploit Pro is the first and only pentesting solution to route any traffic through a compromised target”.
Real-world Hypervisor Exploits [www.flyingpenguin.com]
A bone of contention that keeps appearing in discussion of hypervisor compliance, especially in terms of the new PCI DSS 2.0 and NIST SP 800-37 risk-based methodologies, is that there are few real-world hypervisor exploit examples.
I have thus been compiling both quantitative and qualitative data. Here is one of the more interesting cases I ran across.
It is said that the researcher was not happy with the vendor response and so demonstrated the exploit at the 23rd Chaos Communication Congress (23C3) in late 2006. However, the system was patched only six days after the demonstration, which suggests a fix was already underway by the time the exploit was public.
Free toolkit lets organizations, developers test-drive new DNS security protocol
Renowned researcher Dan Kaminsky tomorrow at Black Hat Abu Dhabi will release a free toolkit that lets organizations test-drive DNSSEC deployment and also demonstrates his claims that the protocol is simple to implement.
‘I’ve been making a lot of claims and promises about what DNSSEC is capable of and why the security industry should care. This is the argument I’ve been putting forth, in code form. This is for real,’ says Kaminsky, who will make the Phreebird Suite 1.0 kit available tomorrow on the Black Hat website. Kaminsky gave a sneak peek demonstration of Phreebird at Black Hat USA in July.
IRISS Conference 2010 [www.iriss.ie]
IRISS will hold its annual conference on the 18th of November 2010 in the D4 Berkley Court Hotel in Ballsbridge, Dublin 4. This all day conference will focus on providing you with an overview of the current cyber threats facing businesses in Ireland and what you can do to help deal with those threats.
The IRISS Annual Conference is an opportunity to not only increase your knowledge but also to meet and network with your peers in a relaxed environment. There is no charge to attend our conference, however we would appreciate a donation to help cover our costs. You can make a donation via PayPal.
In parallel to the above speaking sessions Ireland’s premier Cyber Security Challenge, HackEire, will be held to identify Ireland’s top cyber security experts. HackEire will see 10 teams, up to a maximum of four people per team, compete against each other in a controlled environment to see which team will be the first to exploit weaknesses in a number of systems and declare victory. The purpose of the HackEire competition is to demonstrate how attackers could gain access to your systems and allow you to learn from the event on how to prevent such attacks from impacting your network.
Google Hacking Database Reborn [www.exploit-db.com]
The incredible amount of information continuously leaked onto the Internet, and therefore accessible by Google, is of great use to penetration testers around the world. Johnny Long of Hackers for Charity started the Google Hacking Database (GHDB) to serve as a repository for search terms, called Google-Dorks, that expose sensitive information, vulnerabilities, passwords, and much more.
Tethering Your Droid to a Linux System [carnal0wnage.blogspot.com]
Imagine my happiness when I got the Droid update and saw USB tethering available.
Then imagine my sadness –> rage that VendorX wants to charge another 15 bucks to tether.
So, following the instructions from here, it is possible to tether via USB on Linux. Evidently PDAnet works great, but I don’t use Windows except for PowerPoint and I can’t afford a Mac.
So here’s how to get it going if you don’t want to click the link… plus I’ll never remember that URL.
Incident Response: Drafting the Team [www.bankinfosecurity.com]
Nearly a year ago, IBM’s client organization suffered a major malware attack. When Don Weber, then an incident response professional with IBM, arrived on-site with his team, they demonstrated timeline-based analysis that quickly provided them with system-based artifacts associated with the malware on the compromised systems.
Although the malware solutions were able to tell them which systems were currently infected, they had no way of telling which systems had been compromised, or whether the malware had been removed or instead rolled over to something that was not being detected.
This example illustrates that even the best information security infrastructure cannot guarantee that intrusions or other malicious acts will not happen. When computer security incidents occur, an organization must have an effective team to respond. ‘The effort with which an organization can recognize, analyze and respond to an incident will limit the damage and lower the cost of recovery,’ Weber says.
FireShepherd [notendur.hi.is]
FireShepherd is a small console program that floods the nearby wireless network with packets designed to turn off FireSheep, effectively shutting down nearby FireSheep programs every 0.5 sec or so, making you and the people around you secure from most people using FireSheep.
The program kills the current version of FireSheep running nearby, but the user is still in danger from all other session hijacking mechanisms. Do not do anything over an untrusted network that you cannot share with everyone.
Know that this is only a temporary solution to the FireSheep problem, created to give people the chance to secure themselves and the others around them from the current threat, while the security vulnerabilities revealed by FireSheep are being fixed.
The response to the Firesheep plug-in for Firefox continues to be huge because the tool is so easy to operate, and because numerous services and users are still vulnerable. Firesheep allows attackers to access the accounts of other users on public networks. The counter at GitHub.com has so far registered more than 678,000 downloads.
PSK doesn’t mean Public Shared Key [blog.kismetwireless.net]
It’s recently been suggested that free hot-spots should switch to WPA with a known passphrase to help protect against attacks like Fire Sheep, a clever tool which integrates sniffing auth credentials from the air with your browser.
Short version: This won’t work.
Long version:
There’s a bunch of ways this reasoning is flawed:
Java Exploits [isc.sans.edu]
The recent Java JRE patch bundle released by Oracle contained a long list of security fixes, several of which for vulnerabilities that allow drive-by exploits. And since Java is present on pretty much every Windows PC, and people don’t seem to do their Java updates quite as diligently as their Windows patches, there are A LOT of vulnerable PCs out there. Microsoft reported on this a month ago, and called it an ‘unprecedented wave of Java exploiting’.
It doesn’t look like the situation has improved since, and the bad guys are taking advantage. Not surprisingly, the FAQ document on ‘Virus found in my Java Cache Directory’ is ranked third most popular of all the issues listed on http://www.java.com/en/download/help/index.xml. The two issues ranked ahead of it are also security concerns… not a pretty picture for Oracle or Java, I’d say.
Let’s take a look at one of the popular exploits that are making the rounds, the ‘bpac’ family.
It’s been a long road on this one; the total line count for version 1.0 was larger than all of the other releases combined. This version adds several key components including new attack vectors, a web GUI interface, a way to automate SET behavior, and a slew of bug fixes. I have to thank everyone that contributed to this edition; there were a number of people that reported bugs on 0.7.1 that have all been addressed in this version, and a new module was added by a security company.
Be sure to check out the newly updated tutorials on the Metasploit-Unleashed course: Here or in the readme/User_Manual.pdf file.
Thanks everyone for your contributions and continuing to support SET, we have over 1.4 million downloads since its creation, that’s amazing!
Funny Vista Tricks with ASLR [erratasec.blogspot.com]
Posted by David Maynor at 11:32 PM
While doing a lot of testing around the implementation of ASLR on both OS X and Vista I noticed something odd. Third-party DLLs in Internet Explorer don’t seem to change addresses. See the screenshot below. Googletoolbar and flash9d stay at the same address through multiple reboots. I thought this was odd.
There has been a lot of talk recently in the security community about high speed GPU (video card) processors being able to crack passwords very quickly.
But there is a technology that can crack them even faster. A Swiss security company called Objectif Sécurité has created a cracking technology that uses rainbow tables on SSD drives.
Apparently it is the hard drive access time and not the processor speed that slows down cracking speed. So using SSD drives can make cracking faster, but just how fast?

Database Security

Top 10 Database Vulnerabilities and Misconfigurations [www.teamshatter.com]
TeamSHATTER (Security Heuristics of Application Testing Technology for Enterprise Research) has researched the Top 10 Database Vulnerabilities in order to provide you with the most up-to-date vulnerabilities, risk and remediation information.
Each category has a post explaining the topic and providing you with best practices for remediating the following issues. Please leave us a comment if you have any questions about these vulnerabilities or run a search with the Threat Finder to learn more about your vulnerabilities.
1. Default, Blank & Weak Username/Password
2. SQL Injections in the DBMS
3. Excessive User & Group Privilege
4. Unnecessary Enabled Database Features
5. Broken Configuration Management
6. Buffer Overflows
7. Privilege Escalation
8. Denial of Service Attack (DoS)
9. Unpatched Databases
10. Unencrypted sensitive data – at rest and in motion
Staffing changes, mixed security policies and standards, different types of data repositories with different applications all cause problems
In spite of other more dour economic indicators, 2010 has proved to be a strong year for merger and acquisition activity: Struggling companies have been putting up their shingles for favorable deals while healthy organizations have been looking for stronger performing investments over traditional ones depressed by lowered interest rates. That’s good for business, but it can certainly throw off businesses’ database protection as they deal with the curveball of integration pitched their way during the M&A process, security experts say.
Financial experts from Thomson Reuters recently reported that through the first nine months of the year there were 22 percent more M&A deals on the books compared with the same time frame last year. This rise in consolidation means IT and line-of-business experts need to be ready to not only hone their business integration deal plans, but also their security road maps.
Survey finds database managers out of the loop on overall security objectives, budget details, and strategies
A new set of survey results out this week showed that even as many DBAs are ready to assume the mantle of security practices in their daily duties, there still remains a communication disconnect between these data managers and the security and executive leadership ultimately responsible for data security across an organization.
The survey conducted by Unisphere Research and sponsored by Application Security Inc. queried over 750 members of the Professional Association for SQL Server (PASS). Responsible for large swaths of organizational information–66 percent of them are entrusted with managing 100 to 500 database instances–these data managers mostly consider themselves responsible for protecting the data they manage. And yet at the same time, they lack a grasp of the overall security objectives, budget details, and strategies across the entire organization.

Cloud Security

Top 10 Cloud Security Risks [blog.zeltser.com]
Like any model of IT services, the cloud introduces several security challenges specific to this paradigm of computing.
Below are my top 10 cloud-specific risks that customers should understand and address when adopting cloud services. This is a summary of the key aspects of my earlier post on the topic.
Many organizations haven’t defined an overall risk management framework within which to assess and address cloud-specific risks.
Infrastructure sharing introduces the possibility that a compromise to one component of the environment will affect its “neighbors.”
Consistently enforcing security controls is hard in a rapidly-changing environment.
An outsourced hosting arrangement, which is often part of cloud services, takes some direct control over IT away from the customer.
The hypervisor, which handles virtualization of cloud IT resources, may be exploited.
It may be possible to infer information about one virtual machine by observing the state of the shared underlying system from another, which could even lead to code execution.
The cloud service provider might incorrectly configure the hypervisor and the associated tools, introducing a vulnerability into the environment.
The organization making use of cloud services will not know how to create a governance, risk and compliance (GRC) program that applies to the cloud environment.
Critical security and GRC tasks might not get done, because each party will assume that the other is responsible for them.
It may be hard to define, validate and enforce security and related IT controls because the inner workings of cloud services may not be visible to the customer.

Mobile Security

I’ve seen that a bug initially reported in Safari also makes certain versions of Android vulnerable. This vulnerability has been used in the attached exploit to run a remote shell. I personally tested it with success on some Android devices (2.1).
It appears that the shellcode is safe, but I will publish a newer/cleaner version of the exploit for CVE-2010-1807 soon.
The following CVE has been assigned to the Safari vulnerability: CVE-2010-1807.
A security firm disclosed holes today in mobile apps from Bank of America, USAA, Chase, Wells Fargo and TD Ameritrade, prompting a scramble by most of the companies to update the apps.
‘Since Monday (11/01/2010), we have been communicating and coordinating with the financial institutions to eliminate the flaws,’ research firm viaForensics wrote in a post on its site. ‘The findings we published reflect testing completed on 11/03/2010. Since that time, several of the institutions have released new versions and we will post updated findings shortly.’
The company had reported its findings to The Wall Street Journal earlier in the day. Yesterday, viaForensics went public with problems in PayPal’s iPhone app, spurring the online payment provider to action.
Dangers of Rooting Your Mobile Device [jack-mannino.blogspot.com]
Many people root or ‘jailbreak’ their Android and iOS devices in order to gain access to features limited by the security models of each respective platform. In exchange for added capabilities, these people are essentially accepting (with or without their knowledge) the fact that they’ve removed pretty much all security protections from their environment. This post will provide an overview of how the Android security model works, and detail some of the dangers of using a rooted environment. We will use Android as our platform of choice.
Each application installed in Android runs as a separate user in its own process space. Every application user has its own User ID (UID), and this configuration is designed to only allow that application to access its associated files and databases. While it is possible to grant external applications the ability to access some of this information through Content Providers and by signing multiple applications with the same certificate, the default configuration does not allow it.
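As an added illustration of the per-app UID model described above (example code written for this digest, not from the original post), the script below parses constructed `ls -l /data/data` output in the Android 2.x shell format and flags package directories that break the isolation: an owner that is not an app_N user, one UID shared by several packages, or directory bits that let other users read or write. The app_N to UID mapping (10000 + N) and the sample listing are assumptions made for the example.

```python
"""Audit /data/data entries against Android's one-UID-per-application sandbox.

Added example (not the original post's code). Input is `ls -l` output as an
Android 2.x shell prints it; the listing below is constructed for the demo.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumption: application users are named app_N and map to UID 10000 + N.
AID_APP = 10000

# Columns: mode owner group date time name (Android 2.x toolbox ls -l).
LS_RE = re.compile(
    r"^(?P<type>[d-])(?P<perms>[rwxsStT-]{9})\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\S+\s+\S+\s+(?P<name>\S+)$"
)

# Constructed sample: two clean packages, one world-writable directory, one
# directory owned by root (as left behind after rooting), and two packages
# sharing a UID (legitimate only if both were signed with the same certificate).
SAMPLE_LS_OUTPUT = """\
drwxr-x--x app_12 app_12 2010-11-12 10:01 com.example.mail
drwxr-x--x app_13 app_13 2010-11-12 10:02 com.example.bank
drwxrwxrwx app_14 app_14 2010-11-12 10:03 com.example.game
drwxr-x--x root   root   2010-11-12 10:04 com.example.helper
drwxr-x--x app_12 app_12 2010-11-12 10:05 com.example.mail.plugin
"""


def app_uid(owner: str) -> Optional[int]:
    """Return the numeric UID for an app_N user name, or None for any other user."""
    m = re.fullmatch(r"app_(\d+)", owner)
    return AID_APP + int(m.group(1)) if m else None


def parse_ls(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse directory entries into (name, owner, group, perms) tuples."""
    entries = []
    for line in text.splitlines():
        m = LS_RE.match(line.strip())
        if not m or m.group("type") != "d":
            continue  # skip files and lines that are not in ls -l form
        entries.append((m.group("name"), m.group("owner"),
                        m.group("group"), m.group("perms")))
    return entries


def audit_data_dirs(text: str) -> Dict[str, List[str]]:
    """Map each package that violates the sandbox model to its list of reasons."""
    findings: Dict[str, List[str]] = {}

    def flag(pkg: str, reason: str) -> None:
        findings.setdefault(pkg, []).append(reason)

    uid_owners: Dict[int, List[str]] = {}
    for name, owner, _group, perms in parse_ls(text):
        uid = app_uid(owner)
        if uid is None:
            # A package directory owned by root/system means that app's data
            # is no longer confined to its own UID.
            flag(name, f"owned by non-app user '{owner}'")
        else:
            uid_owners.setdefault(uid, []).append(name)

        # perms[6:9] are the "other" bits; the stock layout is --x (traverse
        # only), so any read or write bit exposes the data to every other UID.
        other = perms[6:9]
        if "r" in other or "w" in other:
            flag(name, f"other users have '{other}' on the package directory")

    for uid, pkgs in uid_owners.items():
        if len(pkgs) > 1:
            for pkg in pkgs:
                peers = [p for p in pkgs if p != pkg]
                flag(pkg, f"shares UID {uid} with {peers}")
    return findings


if __name__ == "__main__":
    for pkg, reasons in sorted(audit_data_dirs(SAMPLE_LS_OUTPUT).items()):
        for reason in reasons:
            print(f"{pkg}: {reason}")
```

On a real device the same check runs over `adb shell ls -l /data/data`; the shared-UID finding is informational, since apps signed with one certificate may legitimately share a UID.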
I’m in Cannes preparing for European Symposium next week where several thousand people will come to talk about a vast range of IT topics. One session I’ll be running here is for CIOs on managing mobile devices and dealing with consumerisation and this has naturally led me to think about mobile security. Security has also been in the news recently as well, with today’s Register reporting on browser security vulnerabilities in Android to add to the reports from Coverity last week about the risk of kernel bugs.
Android is probably the least secure of the mainstream mobile platforms if only because it’s the least mature and has one of the least regulated app stores; but that doesn’t mean the others are particularly safe either. Even the best of them, RIM, is dependent on things outside the platform’s control, such as trusting the person who provides an application. And as we saw with the Etisalat trojan in 2009 even your network operator can’t always be trusted. And while I’m having a paranoid moment let’s think about all those relatively unprotected iPads stuffed with corporate documents and email that are the accessory of the moment, and platforms such as Windows Phone 7 which are so new that no-one has any idea how secure or otherwise they might be.
Hackers have identified a way of installing Android 2.2 Froyo on 2G and 3G iPhones, without having to plug the devices into a computer.
The tinkerers at Redmond Pie have described how older Apple handsets can be switched wirelessly to Android 2.2 Froyo in a bid to overcome perceived performance issues associated with running Apple’s latest version of iOS on older handsets.
Previous methods of installing Android on iPhones relied on connecting the iPhone to a PC.

Privacy

Anonymizer, Inc., a company that helps protect consumer’s privacy and offers anonymity solutions, announced today that it has developed Anonymizer Nevercookie, a free Firefox plugin that protects against the Evercookie, a javascript API built and made available by Samy Kamkar (same guy who brought you the Samy Worm and XSS Hacking to Determine Physical Location) who set out to prove that the more you store and the more places you store it, the harder it is for users to control a Web site’s ability to uniquely identify their computer.
The plugin extends Firefox’s private browsing mode by preventing Evercookies from identifying and tracking users.
Up until a couple of years ago, I used to say that the average person could protect his or her privacy on the Web. Even as the founder of an online reputation-management company, ReputationDefender, I believed it was possible-so long as you were willing to commit some time to doing it. Today, I tell people this: the landscape of personal data mining and exploitation is shifting faster than ever; trying to protect your online privacy alone is like trying to build your own antivirus software-really, really difficult. But whether or not you have the time (or money) to invest in the pros, there are a few simple steps we can all take to reduce the risk to our private data.
10 Commandments of Facebook [www.thesun.co.uk]
FACEBOOK can be a fun way to keep in touch with friends… but it can also be DANGEROUS.
IT security expert Dave Whitelegg explains: ‘Posting certain photos or information on the site puts you at risk of being fired, a victim of crime, or even worse. There are computer programmes called ‘data mining’ that sweep Facebook to collect dates of birth, phone numbers, addresses etc. That’s gold dust to criminals.’
Here Dave tells ANTONELLA LAZZERI the ten things you should never post on Facebook and why.
Flying Paparazzi Drones to Track Celebrities From Above [www.switched.com]
Today’s high-profile celebrities may have perfected the art of avoiding paparazzi on the streets of Beverly Hills, but they might want to turn their attention skyward, as well. That’s because celebrity photo agency Splash News is developing a camera-equipped drone aircraft to track the rich and famous from above. ‘It would strike fear in the hearts of every celebrity having a birthday party,’ Splash chief executive Gary Morgan tells the Wall Street Journal. ‘Call it C3paparazzo.’
That huge sucking sound you hear is Facebook, piling data from third parties into its mouth as fast as it can while it remains stubbornly greedy about releasing its own data to anyone it doesn’t like. Which is mostly Google these days, since Yahoo and AOL completely surrendered and Microsoft actually owns part of them.
Google shut them down last week, restricting API access and effectively blocking contacts exports to Facebook in any automated way. This is, I wrote, the true beginning of data protectionism.
Now Facebook has found a way around that restriction. They’re leveraging a Google feature that lets users download their own data for their own use – part of Google’s golf-clap worthy data liberation effort. They’ve hacked a solution around the block by giving users a direct deep link to the download feature. And then users can upload that file directly to Facebook.
German Minister of Justice Sabine Leutheusser-Schnarrenberger has informed us this week that she supports our position that if the EU Commission wants to uphold the policy of mandatory retention of all call records (‘data retention’) at all, the EU must at least leave it to national parliaments and constitutional courts to decide whether they wish to implement this policy or not. More than 100 organisations from 23 European countries are currently lobbying the EU Commission to ‘propose the repeal of the EU requirements regarding data retention in favour of a system of expedited preservation and targeted collection of traffic data’.[1] ‘I am permanently in touch with the EU Commission and will take your arguments into account in our upcoming discussions’, Leutheusser-Schnarrenberger assured us.
Tuesday the EU Court of Justice in Luxembourg ruled that ‘limitations in relation to the protection of personal data must apply only in so far as is strictly necessary’. It ruled ‘invalid’ EU requirements to publish every recipient of agricultural subsidies in the EU, deciding that this indiscriminate policy ‘exceeded the limits which compliance with the principle of proportionality imposes’. ‘[I]t is possible to envisage measures which affect less adversely that fundamental right of natural persons and which still contribute effectively to the objectives of the European Union rules in question’, the Court held.

Tools

Seccubus [seccubus.com]
Easy Automated vulnerability scanning and reporting
Seccubus 1.5.3 released – Lots of small bugs, still make a lot of noise
I just released version 1.5.3 which fixes lots of little bugs that I did not want to wait for Seccubus version 2 to fix. Please have a look at the release notes below and upgrade if you need to.
EnforcePermanentDEP [blog.didierstevens.com]
Like its name reveals, EnforcePermanentDEP is a DLL to switch on permanent DEP in the loading process.
Free Computer Forensic Tools [www.forensiccontrol.com]
The table below lists a selection of free computer forensics software and resources. It is the end user’s responsibility to check the licensing agreements of each one before use. Forensic Control provides no support or warranties for their use. The version numbers and links are correct as of 9 October 2010. *Entries marked with a star indicate that registration is required.
Katana v2.0 Release [www.hackfromacave.com]
Katana is a portable multi-boot security suite which brings together many of today’s best security distributions and portable applications to run off a single Flash Drive. It includes distributions which focus on Pen-Testing, Auditing, Forensics, System Recovery, Network Analysis, and Malware Removal. Katana also comes with over 100 portable Windows applications, such as Wireshark, Metasploit, NMAP, Cain & Abel, and many more.
DDOSIM v0.2 has been released [security-sh3ll.blogspot.com]
Application Layer DDoS Simulator
DDOSIM simulates several zombie hosts (having random IP addresses) which create full TCP connections to the target server. After completing the connection, DDOSIM starts the conversation with the listening application (e.g. HTTP server). It can be used only in a laboratory environment to test the capacity of the target server to handle application-specific DDoS attacks. It is written in C++ and runs on Linux.
VERIS Community application launched [securityblog.verizonbusiness.com]
Today marks another milestone in our long-term VERIS project to collect incident data and make it more available to the security community. For the past few years, we’ve published the Data Breach Investigations Reports, which present statistics based on forensic investigations conducted by our IR services. Last March, we publicly released the Verizon Enterprise Risk and Incident Sharing (VERIS) framework used to collect data for the DBIR series. VERIS provides a common language for classifying incidents and removes a long-term roadblock to the goal of more widely available information on security incidents.
Today we introduce the VERIS Community application, designed to make sharing such information possible and practical.

General

Remember Square? Well, the innovative company launched last December by Twitter co-founder Jack Dorsey has finally opened its doors to the public after a 10 month private pilot. Now anyone can request a free credit card reader for their iOS device from the Square website.
After setting up an account on its Web site, Square ships you a small credit card swiping dongle (pictured) that turns any iPhone (or iPod touch or iPad, for that matter) into a mobile credit card terminal. After installing the free iOS app you can begin accepting credit cards immediately by keying the card number directly into the app. After that the buyer signs on the touchscreen to confirm the purchase.
If you are a parent and you want your teen to be able to use Facebook without either of you having to worry that your child is sharing too much personal information, there’s a new resource that can help. A Parents’ Guide to Facebook offers hands-on, step-by-step instructions and illustrations, as well as information on safety, privacy, and reputation protection; and it covers the use of Facebook on computers and cell phones. It also offers specific recommendations for configuring privacy settings, noting that the default Facebook settings are not as privacy protective as they should be, even for adults. The guide is being debuted at the fourth annual Family Online Safety Institute conference by the iKeepSafe Coalition and Connect Safely, a project of the nonprofit Tech Parenting Group.
Yesterday’s latest batch of Patch Tuesday security fixes from Microsoft will have made their presence felt amongst many Windows users, but that doesn’t mean that Mac users get away scot free.
Mac OS X users may think that by not running Windows they’re untouched by flaws in software written by Microsoft, but of course the company makes much more than just an operating system.
A couple of weeks ago, Microsoft issued a major new version of Microsoft Office for the Mac – Microsoft Office for Mac 2011 – giving users new versions of Word, PowerPoint, Excel to run just like their Windows-loving friends and colleagues.
Two security software makers are complaining about Microsoft using its update service to deliver its free antivirus software to Windows users who don’t have such protection on their computers.
No, it’s not 1998. And we’re talking about allowing customers to choose whether they want the software, rather than bundling a particular browser–say Internet Explorer–on Windows.
Microsoft began making its Security Essentials software available to customers through its Microsoft Update service as an optional download on November 1 for U.S. customers and October 19 for U.K. customers. It offers the download only to customers who do not have an antivirus solution that is detectable by Microsoft’s Action Center.
All-in-One Skimmers [krebsonsecurity.com]
ATM skimmers come in all shapes and sizes, and most include several components – such as a tiny spy cam hidden in a brochure rack, or fraudulent PIN pad overlay. The problem from the thief’s perspective is that the more components included in the skimmer kit, the greater the chance that he will get busted attaching or removing the devices from ATMs.
Thus, the appeal of the all-in-one ATM skimmer: It stores card data using an integrated magnetic stripe reader, and it has a built-in hidden camera designed to record the PIN sequence after an unsuspecting customer slides his bank card into the compromised machine.
For the first time in its 13-year history, Microsoft’s Hotmail comes with the ability to protect email sessions with secure sockets layer encryption from start to finish.
It’s the same always-on encryption Google Mail has offered for more than two years. And it comes with some pretty extreme limitations – namely the inability to protect email that’s downloaded using Microsoft apps including Outlook Hotmail Connector (required to use Outlook with Hotmail) and Windows Live Mail. But to hear Microsoft describe the new feature, you’d think it was a cure for the common cold.
Following the lead of Mozilla and Google, Barracuda Networks is launching a bug bounty program that will pay out cash rewards for vulnerabilities found in the company’s own products.
The move by Barracuda, a maker of mail security and data protection products, is the first such bug bounty program offered by a pure security technology vendor. Mozilla and Google are the two most prominent examples of general technology companies that offer rewards for vulnerabilities, and both of those companies have seen their programs succeed in the last year. In fact, both Google and Mozilla have raised the prices that they pay for the most severe bugs, with Mozilla shelling out up to $3,000 and Google paying as much as $3,133.7 for bugs.
Facebook has quietly begun testing new account-protection features but the scary wording of prompts to try out the technology might easily be mistaken for a sophisticated phishing attack.
Users of the social network might be offered the protection via an ad in the side panel which reads: ‘Your account protection is very low – increase protection’. Clicking through the ad leads to a page on Facebook that encourages users to submit a second email address and a phone number. In some cases it also asks users to change their security question.
http://www.theregister.co.uk/2010/11/11/facebook_account_protection/
Go Daddy offers vulnerability site scanning tool
A lot of the news concerning Internet domain registrar and Web hosting company Go Daddy that we covered lately had to do with compromised sites hosted on its servers.
And that’s probably the reason why the company decided to create its own Site Scanner, which scans forms, login and password fields, internal and external links on the site, and looks for 3,000+ vulnerabilities every day, so that attackers can’t steal customer information, infect them or deface the website.

Funny

A scary pumpkin! [sphotos.ak.fbcdn.net]
Sore point
The British rap star DJ Ironik was in hospital last night after being stabbed in the left buttock by robbers who had tracked him by Twitter.
DJ Ironik was mugged outside his home in North London at 3am Saturday as he returned from a gig in Southend.
(Read Act I & Act II)
THE SOUND of typing can be heard and then suddenly a loud groan of disappointment.
DEV LEAD
Argggggggggggggggg!!!
FADE IN:
INT. CORPORATE OFFICE
THE DEV LEAD is looking at his bug queue in HP Quality Center, the bug count is 6,894 defects, all assigned to him. The DEV LEAD yells over the cube wall to one of his DEVELOPERS.
DEV LEAD
Hey you screwed up the bug triage again man, I’ve got 6,833 bugs that shouldn’t be there in my queue, what the heck man?
The other day, my friend Steve and I had a ‘Husbands Cook for Their Wives’ night in which we hoped to accomplish several things. First, we thought it would be a good way to add to the Husband Bank of good deeds. Second, it was an excuse to drink beer on a Tuesday afternoon. And third, Steve would transfer his vast knowledge of cooking methods to my ignorant self. It was this third objective that went terribly wrong.
Among my duties that night was chopping the jalapeño peppers. I had never prepared a meal with jalapeño peppers, and I didn’t know much about them. The conversation went something like this.
Steve: You should wear rubber gloves to cut the jalapeño peppers.
Me: Really? Is that necessary?
Steve: Yes. Do you have any rubber gloves?
I knew we had some rubber gloves somewhere in the house, but finding them would require the help of my wife, Shelly, and I didn’t want to bother her on Husbands Cook for Their Wives Night. So I pressed the point.
dogbert the consultant [www.dilbert.com]
TSA logo [imgur.com]
MAC vs PC [i.imgur.com]